Booker, a former CISO at UnitedHealth Group, says the attack also serves as a blaring reminder to healthcare organizations to “make sure you focus on the basics and essential security measures, like multifactor authentication, have them where you need them, which is everywhere, and have a way to know that what you’re doing is right, have an assurance capability that shows your stuff is working.”
Calls for more healthcare organizations to tighten security
Authors of the HIMSS report also called for more to be done, for instance, writing that “while almost two-thirds of respondents indicated that their board of directors are regularly briefed regarding cybersecurity risk, this number needs to be higher. Ideally, more healthcare organizations will embark upon the proactive journey of regularly briefing their boards of directors.”
The authors additionally called out the need for more supply chain risk management: “Less than half of respondents (41.92%) to this survey indicated that their organization has established a cybersecurity supply chain risk management program. The remainder of respondents (58.08%) indicated that they either did not have such a program or were unsure. The risk of not having a robust cybersecurity supply chain management program is that there may be too much dependency on one vendor or supplier.”
And HIMSS officials advocated for healthcare entities to adopt the NIST Cybersecurity Framework Version 2.0 and the recently released US Department of Health and Human Services’ voluntary cybersecurity performance goals (CPGs).
Others agree that such moves need to happen — and happen fast.
Sen. Ron Wyden, a Democrat representing Oregon and one of many US lawmakers calling for more scrutiny of UHG in the aftermath of the attack, has criticized the slow pace of action. He has faulted the Biden administration’s timeline for putting healthcare cybersecurity regulations in place — saying the year-end goal is too far out.
“Every new devastating hack hammers home the need for mandatory cybersecurity standards in the healthcare sector, particularly when it comes to the largest companies that millions of patients depend on for care and medicine,” Wyden says in a statement to CSO. “Without action, patients’ access to care and their personal health information will be compromised and ransomed by hackers over and over again.”
Weiss says healthcare security leaders and other sector executives got that message and they are working to learn lessons from the Change Healthcare incident and to implement additional security measures to improve their own security posture and their own resilience.
Benjamin Luthy, program director of cybersecurity and an adjunct professor at Champlain College Online, says it’s a worthwhile exercise: “Everyone can learn a lesson; anyone who leads a security or information technology program can learn from this.”